Today, 30 January 2010, Howard Chu wrote:
> erwann.abalea@keynectis.com wrote:
>> When no certificate is revoked, the revokedCertificate element SHOULD be omitted, instead of being included as an empty SEQUENCE OF SEQUENCE. RFC5280 has changed the SHOULD into a MUST, but I don't think this is checked by the function. I think it only skips over the next element (in my case, the crlExtensions).
> Thanks for the report. The code in CVS HEAD has been patched to silently accept this case. However, it's worth pointing out that even in X.509(2005):
Thank you for having corrected it.
> If none of the certificates covered by this CRL have been revoked,
> it is strongly recommended that revokedCertificates parameter be omitted from the CRL, rather than being included with an empty SEQUENCE. <<<<
That's what I meant to write when I wrote that the element SHOULD be omitted. X.509 doesn't prevent such an empty sequence, it only strongly recommends avoiding it. A strong recommendation in ISO terminology is the same as a SHOULD in the RFC2119 sense. You're right here.
> Also note that, technically, LDAP is defined to conform to the 1993 edition of the X.500 specs, and X.509(1993) makes no such allowance here.
I didn't know that LDAP was designed to conform to a specific edition of the standard. Isn't that strange? After all, it should then also refuse to handle X.509v2 CRLs and X.509v3 certificates, which appear for the first time in the 1997 edition. Anyway, I hadn't thought about looking at older revisions of the X.509 standard. You're right, my 1997 edition doesn't say anything about this, and my 2000 edition (a French version) has the same text as the 2005 one.
> We may consider logging a warning for this case. What software generated this CRL? It seems to be defective...
At first, I also thought it was defective. But after all, the standard doesn't say that this revokedCertificates element MUST be eliminated when no certificate is revoked (I use RFC2119 terminology here, but you certainly got it).
I will certainly send a warning to the software vendor, though. In general, I tend to follow "SHOULD" rules. I don't know what software produced this CRL (yet), I only know who uses it (one of our customers). I'll get in touch with them for that. At the same time, I'll check that we correctly do our job (we're also a PKI software vendor).
Anyway, thank you again. I'll test the HEAD version and will get back to you later. BTW, what do you mean by "needs some thought" (in the ticket notes)?
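The parsing question discussed in this thread, as an added example that is not OpenLDAP's code and not the code Erwann or Howard refer to: a small DER walker over a TBSCertList (field order as in RFC 5280 section 5.1) that recognises the OPTIONAL revokedCertificates element by its tag rather than by position, so that an empty SEQUENCE OF (30 00) is consumed as zero entries and the crlExtensions [0] element that follows is still found, exactly as when the element is omitted. Everything else is placeholder: the issuer Name is empty, the dates, OIDs, serial number and cRLNumber value are constructed for the example, and nothing is signed. It also shows the encoder side, where omitting the element when nothing is revoked is the default, which is what a CA following the SHOULD/MUST would do.

```python
# Added example, not OpenLDAP code: a minimal DER walker for an X.509 TBSCertList
# that accepts revokedCertificates either omitted (what X.509 and RFC 5280 ask for)
# or present as an empty SEQUENCE OF, and still reaches the crlExtensions [0] element.
# Sample CRL bodies are constructed inline with placeholder fields and are unsigned.

SEQUENCE, INTEGER, OID, OCTETSTR = 0x30, 0x02, 0x06, 0x04
UTCTIME, GENTIME, CTX0 = 0x17, 0x18, 0xA0   # CTX0 = [0] EXPLICIT, used by crlExtensions

def der_tlv(buf, pos):
    """Read one TLV at buf[pos]; single-byte tags and definite lengths only (DER)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        if not 0 < n <= 4:
            raise ValueError("indefinite or oversized length is not DER")
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    end = pos + hdr + length
    if end > len(buf):
        raise ValueError("TLV runs past end of buffer")
    return tag, buf[pos + hdr:end], end

def der_encode(tag, value):
    """Encode one TLV with a DER definite length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def count_children(val, inner_tag):
    """Count the TLVs inside a constructed value, requiring each to carry inner_tag."""
    pos, count = 0, 0
    while pos < len(val):
        tag, _, pos = der_tlv(val, pos)
        if tag != inner_tag:
            raise ValueError("unexpected inner tag 0x%02x" % tag)
        count += 1
    return count

def parse_tbs_cert_list(tbs):
    """Return version, number of revoked entries (0 if omitted or empty), extension count."""
    tag, body, _ = der_tlv(tbs, 0)
    if tag != SEQUENCE:
        raise ValueError("TBSCertList must be a SEQUENCE")
    tag, val, nxt = der_tlv(body, 0)              # version INTEGER OPTIONAL
    version, pos = (int.from_bytes(val, "big"), nxt) if tag == INTEGER else (None, 0)
    for name in ("signature", "issuer"):          # both SEQUENCEs; contents not needed here
        tag, _, pos = der_tlv(body, pos)
        if tag != SEQUENCE:
            raise ValueError("expected SEQUENCE for " + name)
    tag, _, pos = der_tlv(body, pos)              # thisUpdate Time
    if tag not in (UTCTIME, GENTIME):
        raise ValueError("expected Time for thisUpdate")
    if pos < len(body):                           # nextUpdate Time OPTIONAL
        tag, _, nxt = der_tlv(body, pos)
        if tag in (UTCTIME, GENTIME):
            pos = nxt
    revoked = extensions = 0
    # revokedCertificates is OPTIONAL, so it is recognised by tag, not by position: an
    # empty SEQUENCE (30 00) is consumed here as zero entries rather than being confused
    # with, or made to swallow, the crlExtensions element that follows it.
    if pos < len(body):
        tag, val, nxt = der_tlv(body, pos)
        if tag == SEQUENCE:
            revoked, pos = count_children(val, SEQUENCE), nxt
    if pos < len(body):                           # crlExtensions [0] EXPLICIT OPTIONAL
        tag, val, pos = der_tlv(body, pos)
        if tag != CTX0:
            raise ValueError("unexpected element 0x%02x where crlExtensions belongs" % tag)
        etag, elist, _ = der_tlv(val, 0)
        if etag != SEQUENCE:
            raise ValueError("crlExtensions must wrap a SEQUENCE OF Extension")
        extensions = count_children(elist, SEQUENCE)
    if pos != len(body):
        raise ValueError("trailing data in TBSCertList")
    return {"version": version, "revoked": revoked, "extensions": extensions}

def build_tbs_cert_list(revoked_entries, extensions, omit_empty_revoked=True):
    """Build a v2 TBSCertList with placeholder issuer/dates; False reproduces the empty SEQUENCE."""
    sig_alg = der_encode(SEQUENCE, der_encode(OID, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
    fields = (der_encode(INTEGER, b"\x01") + sig_alg + der_encode(SEQUENCE, b"")
              + der_encode(UTCTIME, b"100130000000Z") + der_encode(UTCTIME, b"100301000000Z"))
    if revoked_entries or not omit_empty_revoked:
        fields += der_encode(SEQUENCE, b"".join(revoked_entries))
    if extensions:
        fields += der_encode(CTX0, der_encode(SEQUENCE, b"".join(extensions)))
    return der_encode(SEQUENCE, fields)

# Constructed cRLNumber extension (OID 2.5.29.20, value INTEGER 7) and one constructed
# revoked entry (serial 0x1234, revocationDate 2010-01-15); placeholders, not real data.
CRL_NUMBER_EXT = der_encode(SEQUENCE, der_encode(OID, b"\x55\x1d\x14")
                            + der_encode(OCTETSTR, der_encode(INTEGER, b"\x07")))
REVOKED_ENTRY = der_encode(SEQUENCE, der_encode(INTEGER, b"\x12\x34")
                           + der_encode(UTCTIME, b"100115120000Z"))

def compare_empty_encodings():
    """Parse both encodings of a CRL with nothing revoked; both must still expose cRLNumber."""
    omitted = build_tbs_cert_list([], [CRL_NUMBER_EXT], omit_empty_revoked=True)
    empty = build_tbs_cert_list([], [CRL_NUMBER_EXT], omit_empty_revoked=False)
    return parse_tbs_cert_list(omitted), parse_tbs_cert_list(empty)
```

The two results of compare_empty_encodings() are identical, which is the behaviour the CVS HEAD fix aims for. If a warning for the non-recommended encoding is wanted, the place to raise it is the branch where the tag is SEQUENCE and the value is zero bytes long; that is the only point at which a parser can still tell the two encodings apart.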